
Proxy failed to join domain


Article ID: 171808


Updated On:


Advanced Secure Gateway Software - ASG ProxySG Software - SGOS


After upgrading to SGOS 6.7.x, joining the proxy to a domain in IWA Direct fails with the error message "nerr_dcnotfound".

error nerr_dcnotfound


During the domain controller selection mechanism, the ProxySG / ASG appliance (using IWA Direct) queries an SRV record in DNS and sends an "LDAP ping" packet to the DCs that it finds. The LDAP ping is a small LDAP-over-UDP packet. In this scenario, the domain controller is rejecting UDP pings.

In the LSA debug output you can see something like:

"TRACE: netlogon - [LWNetSrvPingCLdapThread() lwnet.c:927] Failed CLDAP ping"
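To check this cause from a workstation on the same network path as the proxy, the following added example (not part of the original article and not vendor code) builds the LDAP ping as a rootDSE search for the Netlogon attribute and sends it to a DC over UDP and then over TCP on port 389. The host and domain names are placeholders, and the NtVer flag value 0x06 is an assumption.

```python
import socket

def tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def eq(attr: str, value: bytes) -> bytes:
    """equalityMatch filter item: context tag [3], constructed."""
    return tlv(0xA3, tlv(0x04, attr.encode()) + tlv(0x04, value))

def build_ldap_ping(dns_domain: str) -> bytes:
    """LDAP SearchRequest (messageID 1) on the rootDSE for 'Netlogon'."""
    ntver = (0x06).to_bytes(4, "little")  # assumed flags: NT version 5 | 5EX
    flt = tlv(0xA0, eq("DnsDomain", dns_domain.encode()) + eq("NtVer", ntver))
    search = (tlv(0x04, b"")        # baseObject: empty DN = rootDSE
              + tlv(0x0A, b"\x00")  # scope: baseObject
              + tlv(0x0A, b"\x00")  # derefAliases: never
              + tlv(0x02, b"\x00")  # sizeLimit: 0
              + tlv(0x02, b"\x00")  # timeLimit: 0
              + tlv(0x01, b"\x00")  # typesOnly: FALSE
              + flt                 # (&(DnsDomain=...)(NtVer=...))
              + tlv(0x30, tlv(0x04, b"Netlogon")))
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x63, search))

def probe(host, dns_domain, proto, port=389, timeout=3.0) -> bool:
    """Send the ping over 'udp' or 'tcp'; True if any reply bytes arrive."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    try:
        with socket.socket(socket.AF_INET, kind) as s:
            s.settimeout(timeout)
            s.connect((host, port))
            s.sendall(build_ldap_ping(dns_domain))
            return len(s.recv(4096)) > 0
    except OSError:  # timeout, refused, unreachable, name resolution failure
        return False

if __name__ == "__main__":
    dc, domain = "dc01.example.com", "example.com"  # placeholders
    for proto in ("udp", "tcp"):
        print(proto, "answered" if probe(dc, domain, proto) else "no reply")
```

A DC that answers over TCP but gives no reply over UDP matches the scenario described in this article.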




Force the proxy to use TCP for LDAP pings by running the commands below in the CLI (use the SSH console):

# conf t
#(config) security windows-domains
#(config windows-domains) ldap-ping-protocol tcp